Malware family packages a large number of exploits that give all-powerful root access.
Researchers have detected a family of malicious apps, some of which were available in Google Play, that contain malicious code capable of secretly rooting an estimated 90 percent of all Android phones.

In a recently published blog post, antivirus provider Trend Micro said that Godless, as the malware family has been dubbed, contains a collection of rooting exploits that works against virtually any device running Android 5.1 or earlier. That accounts for an estimated 90 percent of all Android devices. Members of the family have been found in a variety of app stores, including Google Play, and have been installed on more than 850,000 devices worldwide. Godless has struck hardest at users in India, Indonesia, and Thailand, but so far less than 2 percent of those infected are in the US.
Once an app with the malicious code is installed, it has the ability to pull from a vast repository of exploits to root the particular device it's running on. In that respect, the app functions something like the many available exploit kits that cause hacked websites to identify specific vulnerabilities in individual visitors' browsers and serve drive-by exploits. Trend Micro Mobile Threats Analyst Veo Zhang wrote:

"Godless is reminiscent of an exploit kit, in that it uses an open-source rooting framework called android-rooting-tools. The said framework has various exploits in its arsenal that can be used to root various Android-based devices. The two most prominent vulnerabilities targeted by this kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the Towelroot exploit). The remaining exploits are deprecated and relatively unknown even in the security community.

"In addition, with root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices. This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users."

The first Godless apps stored the rooting exploits in a binary file called libgodlikelib.so directly on an infected device. Once an app is installed, it waits for the device screen to turn off and then proceeds with its rooting routine. After it successfully roots the device, it installs an app with all-powerful system privileges so it can't easily be removed. The earlier apps also install a system app that implements a standalone Google Play client that automatically downloads and installs apps. The client can also leave feedback in Google Play to fraudulently improve certain apps’ rankings.

More recent Godless apps download the rooting exploit and payload from the server located at hxxp://market[.]moboplay[.]com/softs[.]ashx, most likely so that the malware can bypass security checks done by Google Play and other app stores. The later variants also install a backdoor with root access in order to silently install apps on affected devices.
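
The two delivery methods described above can be turned into a static triage check for APK files. The following is an added example, not code from Trend Micro or from the original article: it flags a bundled libgodlikelib.so and any reference to the download location quoted above. The function names and the in-memory sample archive builder are assumptions made for illustration.

```python
import io
import zipfile

# Indicators taken from the article; the URL stays defanged in source.
GODLESS_LIB = "libgodlikelib.so"
GODLESS_URL_DEFANGED = "hxxp://market[.]moboplay[.]com/softs[.]ashx"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the literal string to search for."""
    return indicator.replace("hxxp", "http", 1).replace("[.]", ".")


def triage_apk(apk_bytes: bytes) -> list[str]:
    """Return findings for one APK (a ZIP archive) given as raw bytes."""
    findings = []
    # Match on host + path so http and https forms are both caught.
    needle = refang(GODLESS_URL_DEFANGED).split("://", 1)[1].encode()
    try:
        archive = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile:
        return ["not a valid APK/ZIP archive"]
    with archive:
        for info in archive.infolist():
            name = info.filename
            # Early variants: exploits shipped inside the app as a native library.
            if name.startswith("lib/") and name.rsplit("/", 1)[-1] == GODLESS_LIB:
                findings.append(f"bundled exploit library: {name}")
            # Later variants: exploit and payload fetched at run time. This is a
            # plain byte match, so split or encrypted strings will be missed.
            if name.endswith((".dex", ".so", ".xml")) or name.startswith("assets/"):
                if needle in archive.read(info):
                    findings.append(f"download URL referenced in: {name}")
    return findings


def build_sample_apk(files: dict[str, bytes]) -> bytes:
    """Constructed test input: an in-memory ZIP standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()
```

An empty result only means neither indicator was found; it does not show that an app is free of rooting code.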

The post went on to say that "various apps in Google Play," including utility apps such as flashlights and Wi-Fi apps and copies of popular games, contain the malicious rooting code. Trend identified only one such app by name. It was called Summer Flashlight, and had been installed from 1,000 to 5,000 times. The app was recently ejected from Google Play, but for the time being, its listing is still available in search engine caches.

Evil twin

The Trend post also said researchers encountered a large number of benign apps in both Google Play and elsewhere that have corresponding malicious versions that share the same developer certificate. "Thus, there is a potential risk that users with non-malicious apps will be upgraded to the malicious versions without them knowing about apps’ new malicious behavior. Note that updating apps outside of Google Play is a violation of the store’s terms and conditions."

Godless is only the latest Android malware to use rooting bugs to gain a persistent foothold on handsets. Last November, researchers discovered a family of more than 20,000 trojanized apps that used powerful exploits to gain root access to the Android operating system.
Root exploits aren't automatically malicious. People often deliberately use them to expand the capabilities of their devices or to bypass restrictions imposed by carriers or manufacturers. But because root exploits have the ability to circumvent key Android security protections, users should run them only after thoroughly researching the topic and the specific app that's doing the rooting. As always, Android users should avoid using third-party app stores, with the notable exception of Amazon's. Even when downloading from one of these stores, users should avoid apps from unknown developers.